Discussion about Intalio|BPP Community Edition.
Intalio|BPP 6.0 beta
TOPIC: Intalio|AJAX does not escape inputs
Jun 26, 2009 9:27 am
liu.zhengyang (User)
45 posts
Senior Boarder

Karma: 3  
Hi, me again.

I have just found what may be a bug in Intalio|AJAX. It seems it doesn't escape characters before posting to the server.

For example, if I have a textbox, and I input something like "</injected>", then it'll cause an exception on the server side because the AJAX engine posts "</injected>" without escaping the characters and the resulting XML is invalid.

So is there any particular reason why it doesn't check for the input, or is it really a bug?

Thanks.
Jun 26, 2009 6:29 pm
mark.horton (User)
34 posts
Junior Boarder

Karma: 4  
AJAX does escape the input but it looks like the server un-escapes it at some point.

For instance, if I submit </injected> as a text input it will submit the following:

<jsx1:input>
<a0:FormModel xmlns:a0="http://www.intalio.com/gi/Test.gi">
<textbox></injected></textbox>
</a0:FormModel>
</jsx1:input>

I'm going to ask someone on the server team about this.
Jun 26, 2009 6:35 pm
mark.horton (User)
34 posts
Junior Boarder

Karma: 4  
Not sure if my last post made it here. Posting again...

AJAX does escape inputs. But it looks like the server un-escapes it at some point.

Asking someone on the server team about this.
Last Edit: 2009/06/26 18:36 By mark.horton.
Jun 29, 2009 9:32 am
liu.zhengyang (User)
45 posts
Senior Boarder

Karma: 3  
Hi it's me again.

AJAX does escape the input, but it doesn't encode the POST parameters.

For example, when "</injected>" is entered, AJAX will POST the following to "/gi/validation"

Code:

assembly=MyProcess&form=MyAjaxFormForm.gi&message=<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" xmlns:SOAP-ENC="http://schemas.xmlsoap.org/soap/encoding/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema"> <SOAP-ENV:Body> ...<strong><my-mapping-field></injected></my-mapping-field></strong>... </SOAP-ENV:Body> </SOAP-ENV:Envelope>



So the real problem is that the "&" in the HTML entities will be interpreted as the parameter separator, i.e. the message parameter is truncated right before "<".

I believe this is a bug.
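The mechanism described in the post above, shown as an added JavaScript example (this is not Intalio's code; the envelope, field and parameter names are simplified stand-ins for the ones in the thread). The value is XML-escaped correctly, but when the escaped envelope is concatenated into an `application/x-www-form-urlencoded` body without percent-encoding, the `&` of `&lt;` is read as a parameter separator and `message` is cut off; serializing the body with `URLSearchParams` encodes the value and the message survives the round trip.

```javascript
// Added example, not code from Intalio|AJAX or Intalio|BPP.
// Shows why XML-escaping a value is not enough when the resulting SOAP
// message travels inside a form-encoded POST body.

// Minimal XML text escaping, as the AJAX client does before embedding the value.
function escapeXml(text) {
  return text.replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;');
}

// Build a SOAP envelope around the escaped value.
// Element names are simplified stand-ins for the thread's example (assumption).
function buildMessage(value) {
  return '<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">' +
    '<SOAP-ENV:Body><my-mapping-field>' + escapeXml(value) +
    '</my-mapping-field></SOAP-ENV:Body></SOAP-ENV:Envelope>';
}

// Defective body construction: values joined by string concatenation, no URL encoding.
// Any "&" inside a value (here, from "&lt;" and "&gt;") becomes a parameter separator.
function buildBodyUnencoded(assembly, form, message) {
  return 'assembly=' + assembly + '&form=' + form + '&message=' + message;
}

// Corrected body construction: URLSearchParams percent-encodes every value,
// so "&", "=", "<" and ">" inside the message are transported literally.
function buildBodyEncoded(assembly, form, message) {
  return new URLSearchParams({ assembly, form, message }).toString();
}

// What a server-side form parser sees: split on "&", then on the first "=", then decode.
function parseFormBody(body) {
  const params = {};
  for (const [key, value] of new URLSearchParams(body)) params[key] = value;
  return params;
}

// Run both variants for one user input and report what reaches the server.
function demo(input) {
  const message = buildMessage(input);
  const unencoded = parseFormBody(buildBodyUnencoded('MyProcess', 'MyAjaxFormForm.gi', message));
  const encoded = parseFormBody(buildBodyEncoded('MyProcess', 'MyAjaxFormForm.gi', message));
  return { expected: message, unencoded: unencoded.message, encoded: encoded.message };
}

// Constructed sample input, the same one used in the thread.
const result = demo('</injected>');
console.log('expected :', result.expected);
console.log('unencoded:', result.unencoded); // truncated at the "&" of "&lt;"
console.log('encoded  :', result.encoded);   // identical to expected
```

Parsing the unencoded body with `URLSearchParams` mirrors what a servlet container does: the `message` value stops at `<my-mapping-field>`, and the server is then handed an unterminated XML document, which is the exception the first post observed. Percent-encoding each value (or sending the envelope as the raw request body with an XML content type rather than as a form field) removes the ambiguity.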
Jun 29, 2009 9:43 am
liu.zhengyang (User)
45 posts
Senior Boarder

Karma: 3  
Sorry the forum escaped my output, :S

Attached a screenshot, the problem is highlighted. The "&" in the highlighted part truncated the "message" parameter.
Last Edit: 2009/06/29 09:46 By liu.zhengyang.
Jun 29, 2009 9:48 am
liu.zhengyang (User)
45 posts
Senior Boarder

Karma: 3  
screenshot